Presentation is loading. Please wait.

Presentation is loading. Please wait.

The UK Access Management Federation for education and research John Chapman, Project Adviser, Technical Policy & Standards.

Published byMillicent Olivia Pope Modified over 8 years ago

Similar presentations

Presentation on theme: "The UK Access Management Federation for education and research John Chapman, Project Adviser, Technical Policy & Standards."— Presentation transcript:

1 The UK Access Management Federation for education and research John Chapman, Project Adviser, Technical Policy & Standards

2 Problems we are trying to solve Multiple usernames and passwords Multiple copies of personal data held by third parties Duplication of effort across multiple institutions Publishers and network providers having to interface with multiple systems Difficulty in sharing resources between institutions

3 2003 2004 2005 2006 2007 2008 2009 2010 Workshops, strategy paper & laboratory test led to recommendation of implementing Shibboleth technology WMnet & LGfL pilots prove Shibboleth works in UK school sector JISC announce its intention to support federated access management for UK FE/HE. Becta’s business case accepted by DfES Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research – launched 30 November LGfL continues regional federation as a production service Personalised online learning space Integrated learning & management systems All LAs members of the federation? Standards Fund Grant 121 (and 121a)

4 Shibboleth Neither an authentication or authorisation system Secure exchange of messages between two parties (Identity Provider and Service Provider) Authentication handled by institution/LA/RBC (devolved authentication) Authorisation achieved by an exchange of attributes (such as ‘member of an institution’) Providers need to sign up to a ‘trust’ agreement An implementation of SAML (Security Assertion Mark-Up Language)

5 Benefits of simplified sign-on and the UK federation For the learner: –Easier access to resources –Privacy preserving –Facilitates anytime, anywhere learning For the institution: –Reduction in administrative burdens for managers and users in schools For the LA/RBC: –Allow for greater aggregation of purchasing content –Facilitate secure sharing of content between authorities For the education sector: –Shared, cross-sector infrastructure –Facilitate access to e-portfolios For the Government: –Strong collaboration between Becta and JISC –Centrally provided services for best possible value

6 Benefits for Service Providers –No need to maintain your own user database Authentication is performed by the IdP Can authorise per institution, role, and/or entitlement –Reduced user support requirements –Reduced compliance burden Less storage/processing of personal data –Accurate implementation of licence conditions –Users take better care of credentials –Organisations take better care of assertions

7 The UK Access Management Federation A group of member organisations who sign up to a set of rules An independent body, managing the trust relationships between members End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs) Publishers and resource providers act as ‘service providers’ (SPs)

8 Organisational Structure Funded by DfES & JISC Provided for Schools, FE & HE Operational management by UKERNA Policy & Governance Board –3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal) –3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore) –‘Neutral’ Chair (Professor Sir David Watson) Technical Advisory Group –JISC, Becta, RBC, LA, University and College representation

9 What the service provides A set of Rules that binds members: –Make accurate statements to other members –Keep federation systems and data secure –Use personal data correctly (inc. DPA1998) –Resolve problems within the Federation Not by legal action Guidance, examples, support –How to comply with the Rules –How to work with other members Common definitions, etc.

10 What the service provides Operational management –Registration mechanism for SPs and IdPs –Adding new members to the federation & updating existing members’ metadata –Fault finding and trouble shooting –Compatibility testing of server certificates and CA Qualification –Technical and operational documentation –Ongoing federation development –Reporting

11 Resource WAYF Identity Provider Service Provider Web Site 1 Assertion Service I don’t know you. Not even which home org you are from. I redirect your request to the WAYF 3 2 Please tell me where are you from? HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle 4 OK, I redirect your request now to the Handle Service of your home org. Requester Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Attributes 10 Resource Manager Attributes OK, based on the attributes, I grant access to the resource © SWITCH

12 Birmingham’s walkthrough SP BGfL+ IdP BGfL Identity Provider UK Access Management Federation

13 LA/RBC roadmap to join the UK federation 1.LA/RBC audit – Review readiness to adopt federated access management. 2.Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification. 3.Authentication Development – Choose and implement a local/regional authentication, or single sign-on system. 4.Implement IdP – Implement Shibboleth Identity Provider software. 5.Join Federation – All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy. 6.Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.

14 Core attributes eduPersonScopedAffiliation – does this institution subscribe to the service in question? e.g. member@netherhall.cambs.sch.uk, or student@keele.ac.uk –student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex pupil/alumnus) eduPersonTargetedID – persistent opaque identifier – can provide personalisation & usage monitoring across sessions eduPersonPrincipalName – the ‘NetID’ of the user, e.g. user@school.lea.sch.uk – a persistent identifier across different services eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource e.g. “entitled to access financial accounts” Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but... For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient

15 Executive Liaison: a senior role within the LA SCS certificates available from UKERNA Management Liaison: authorised to register entities

16 More information UK federation –http://www.ukfederation.org.ukhttp://www.ukfederation.org.uk High level info on Becta’s site –http://schools.becta.org.uk/index.php?rid=11277http://schools.becta.org.uk/index.php?rid=11277 –http://industry.becta.org.uk/display.cfm?resID=14598http://industry.becta.org.uk/display.cfm?resID=14598 Shibboleth –http://shibboleth.internet2.edu/ (main site)http://shibboleth.internet2.edu/ –http://spaces.internet2.edu/display/SHIB/ (wiki)http://spaces.internet2.edu/display/SHIB/

Download ppt "The UK Access Management Federation for education and research John Chapman, Project Adviser, Technical Policy & Standards."

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Joint Information Systems Committee 01/04/2014 | | Slide 1 Connecting People to Resources The JISC Access Management Strategy Nicole Harris Programme Manager.

Joint Information Systems Committee 01/04/2014 | | Slide 1 Connecting People to Resources The JISC Access Management Strategy Nicole Harris Programme Manager.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.

Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Joint Information Systems Committee Connecting People to Resources Federated Access Management within the UK Nicole Harris Senior Services Transition Manager,

Joint Information Systems Committee Connecting People to Resources Federated Access Management within the UK Nicole Harris Senior Services Transition Manager,
Joint Information Systems Committee 19/05/2015 | | Slide 1 Voyage of the UK JISC Federation: Shibbolising the UK’s Research, Higher and Further Education.

Joint Information Systems Committee 19/05/2015 | | Slide 1 Voyage of the UK JISC Federation: Shibbolising the UK’s Research, Higher and Further Education.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Similar presentations

Ads by Google